The CAPTCHA game

One of my co-panelists yesterday at the Gilbane Conference was Matt May, a Web accessibility specialist with the W3C. Afterward Matt told me about his paper on CAPTCHA, the Carnegie Mellon project whose acronym expands (sort of) to "completely automated public Turing test to tell computers and humans apart." The images shown to the right, which come from Yahoo's registration page, are familiar examples of the technique. If it's been a while since you've visited that page, you may find these visual puzzles more challenging than you remember. I think that's probably because they are. According to Matt, the arms race between puzzle makers and puzzle breakers has been heating up.

Matt's paper lists a series of alternatives. One is an audio version of the visual puzzle. Here, for example, is a Hotmail visual CAPTCHA:

If you can't see the letters, you can try to hear them. According to this article cited by Matt, one such audio file "was unintelligible to four out of four CNET News.com reporters, all with good hearing, who tried to decipher it." The audio test I've reproduced here doesn't seem that bad. Arguably, it's more intelligible than the visual test. But then, the aural arms race hasn't been going on as long as the visual one, so presumably the noise introduced to foil robots will only grow more intrusive over time.

Another alternative is the logic puzzle. The technique is nicely illustrated on Rael Dornfest's weblog. In an effort to limit comment spam, Rael's comment form generates a simple arithmetic problem like so:

5 + 2 = (to prove you're not a bot)

This approach is definitely easier to use. If it becomes widespread, I suspect it will also turn out to be easier to defeat.

Ultimately, of course, it's the lack of a portable digital identity that drives us to these bizarre schemes. As Matt's paper notes, federated identity systems such as Passport and Liberty Alliance attack that underlying problem, but fail the ubiquity test.

Will Skip Networks' lightweight and web-friendly approach to portable identity gain the traction that everyone yearns for? The experiment is now underway. (For an excellent overview, listen to Doug Kaye's Scott Mace's audio interview with Sxip's founder Dick Hardt.) Over the next year or so, we'll see whether this approach -- which initially targets bloggers and developers -- can cross over to the mainstream.

Meanwhile, until a real solution finally shakes out, Matt May's point is well taken. Any scheme that relies on perceptual or cognitive talents, in order to distinguish humans from robots, will necessarily discriminate against some population of humans. If you're using such an approach, accessibility dictates that you offer several alternatives.

Update: I'd heard of the ESP game, but hadn't realized that it was inspired by an attack on CAPTCHA in which spammers get porn-site visitors to classify images:

Someone designed a software robot that would fill out a registration form and, when confronted with a CAPTCHA test, would post it on a free porn site. Visitors to the porn site would be asked to complete the test before they could view more pornography, and the software robot would use their answer to complete the e-mail registration.

It's not a practice that rapidly or easily overcame the CAPTCHA test, but the tactic of getting humans to unwittingly do cognitive work for a computer program inspired [Luis] Von Ahn to develop the ESP Game. [post-gazette.com]
Yoz Grahame, who pointed me to this article, says the practice is called CAPTCHA-farming, and expands on the idea in this whimsical item: Goodbye CAPTCHAs, hello distributed porn-powered processing. Another reader, Gary Murphy, notes that BoingBoing reported on the same idea.


Former URL: http://weblog.infoworld.com/udell/2004/12/01.html#a1124